Example Firewalls: Multi-Server Web Application

This section describes a simplified set of firewall policies for an enterprise web application. The application is implemented using a typical 3-tier architecture: a set of load balancers distributes incoming Internet connections among a bank of web servers, and the web servers read and write to a set of database servers. All servers in the cloud are running CloudPassage Halo.

As shown in the above diagram, the servers are organized into 3 server groups: "Load Balancers", "Web Servers", and "Database Servers". The basic connections between the servers are shown in the diagram, as well as the connections with the Internet, the server administrator, and a database analyst. Note these details about this example setup:

Connections to the Halo grid (from the Halo agent running on each server) are indicated but not explicitly drawn and labeled, because you do not need to specify them when you create a policy.

The server admin and the data analyst are both shown as GhostPorts users, meaning that there must be GhostPorts rules for them in the appropriate firewall policies.

For simplicity, the diagram and the example firewall policies shown here omit other common kinds of connections that would need firewall rules, such as outbound HTTP connections from servers for downloading automatic software updates.

The diagram and the example policies shown here do not include the automatic corollary rules that Halo creates. You do not have to specify corollary rules in your policies.

Note: These example firewalls do not include any outbound default-drop rules. For the purposes of Halo evaluation, it is safest to leave all outbound communication unrestricted to avoid cutting off any necessary server access. However, we do recommend that your production firewalls include default-drop outbound rules.

Web Server Firewall Policy

These are the inbound and outbound firewall rules for the example "Web Servers" server group. Note that automatic corollary rules and rules required for agent communication are in the policy but do not appear in the portal UI because you do not have to create them. You can export the policy to view all of the rules in text format.

Policy Rules

Inbound Rules

| Interface (Linux only) | Source | Service | Conn. State(s) (Linux only) | Action | Log? (Linux only) |
| --- | --- | --- | --- | --- | --- |
| eth0 | Load Balancers | http (tcp/80) | ESTABLISHED, NEW | ACCEPT | No |
| eth0 | Load Balancers | https (tcp/443) | ESTABLISHED, NEW | ACCEPT | No |
| eth0 | Derek Wong [GhostPorts user] | Linux: ssh (tcp/22); Windows: RDP (tcp/3389) | ESTABLISHED, NEW | ACCEPT | Yes |
| any | any | any | ANY | Linux: REJECT; Windows: DROP | Yes |

Outbound Rules

| Interface (Linux only) | Destination | Service | Conn. State(s) (Linux only) | Action | Log? (Linux only) |
| --- | --- | --- | --- | --- | --- |
| eth0 | Database Servers | Linux: mysql (tcp/3306); Windows: mssql (tcp/1433) | ESTABLISHED, NEW | ACCEPT | No |

Notes

In summary, firewalls generated from this policy will do the following:

Allow inbound connections on ports 80 and 443 from any of the load balancers (plus the return of packets to them, because of automatic corollary rules).

Allow inbound SSH or RDP connections (and return packets) for a specific server administrator, if the admin has authenticated to GhostPorts.

Reject all other inbound traffic with an ICMP response and with logging (on Linux), to respond to and record direct attempts to connect to their external IP addresses.

Allow outbound packets to the group of database servers listening on port 3306 (and the return of packets from them).

Web Servers Firewall rules on Edit Policy Page (Windows)

Load Balancers Firewall Policy

These are the inbound and outbound firewall rules for the example "Load Balancers" server group. Note that automatic corollary rules and rules required for agent communication are in the policy but do not appear in the portal UI because you do not have to create them. You can export the policy to view all of the rules in text format.

Policy Rules

Inbound Rules

| Interface (Linux only) | Source | Service | Conn. State(s) (Linux only) | Action | Log? (Linux only) |
| --- | --- | --- | --- | --- | --- |
| eth0 | any (0.0.0.0/0) | http (tcp/80) | ESTABLISHED, NEW | ACCEPT | No |
| eth0 | any (0.0.0.0/0) | https (tcp/443) | ESTABLISHED, NEW | ACCEPT | No |
| eth0 | Derek Wong [GhostPorts user] | Linux: ssh (tcp/22); Windows: RDP (tcp/3389) | ESTABLISHED, NEW | ACCEPT | Yes |
| any | any | any | ANY | DROP | No |

Outbound Rules

| Interface (Linux only) | Destination | Service | Conn. State(s) (Linux only) | Action | Log? (Linux only) |
| --- | --- | --- | --- | --- | --- |
| eth0 | Web Servers | http (tcp/80) | ESTABLISHED, NEW | ACCEPT | No |
| eth0 | Web Servers | https (tcp/443) | ESTABLISHED, NEW | ACCEPT | No |

Notes

In summary, firewalls generated from this policy will do the following:

Allow inbound connections on ports 80 and 443 from anywhere on the Internet (plus the return of packets to senders, because of automatic corollary rules).

Allow inbound SSH or RDP connections (and allow return packets) for a specific server administrator, if the admin has authenticated to GhostPorts.

Drop all other inbound traffic without an ICMP response and without logging (on Linux), because the load balancers face the Internet and are subject to frequent port scans.

Allow outbound connections to the group of web servers listening on ports 80 and 443 (and the return of packets from them).

Load Balancers Firewall rules on Edit Policy Page (Linux)

Database Server Firewall Policy

These are the inbound and outbound firewall rules for the example "Database Servers" server group. Note that automatic corollary rules and rules required for agent communication are in the policy but do not appear in the portal UI because you do not have to create them. You can export the policy to view all of the rules in text format.

Policy Rules

Inbound Rules

| Interface (Linux only) | Source | Service | Conn. State(s) (Linux only) | Action | Log? (Linux only) |
| --- | --- | --- | --- | --- | --- |
| eth0 | Web Servers | Linux: mysql (tcp/3306); Windows: mssql (tcp/1433) | ESTABLISHED, NEW | ACCEPT | No |
| eth0 | Erica Westford [GhostPorts user] | Linux: mysql (tcp/3306); Windows: mssql (tcp/1433) | ESTABLISHED, NEW | ACCEPT | Yes |
| eth0 | Derek Wong [GhostPorts user] | Linux: ssh (tcp/22); Windows: RDP (tcp/3389) | ESTABLISHED, NEW | ACCEPT | Yes |
| any | any | any | ANY | Linux: REJECT; Windows: DROP | Yes |

Outbound Rules (None created)

Notes

In summary, firewalls generated from this policy will do the following:

Allow inbound connections on port 3306 from any of the web servers (plus the return of packets to them, because of automatic corollary rules).

Allow inbound SSH or RDP connections (and the return of packets) for a specific server administrator, if the admin has authenticated to GhostPorts.

Allow inbound MySQL or MSSQL connections on port 3306 from a specific database analyst (plus the return of packets to them, because of automatic corollary rules), if the analyst has authenticated to GhostPorts.

Reject all other inbound traffic with an ICMP response and with logging (on Linux), to respond to and record direct attempts to connect to their external IP addresses.
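To make the first-match semantics of these policies concrete, here is an added example (not CloudPassage's code) that models the "Database Servers" inbound policy above, renders its Linux form as iptables INPUT commands, and decides whether a given packet is accepted or rejected. The three policies share this structure, so the same model applies to the web-server and load-balancer tables. The web-server IPs, the `halo-fw:` log prefix, and the way a GhostPorts user is resolved to the IP of an authenticated session are assumptions for illustration.

```python
from collections import namedtuple

# Constructed model of the "Database Servers" inbound policy above (Linux column); example
# code, not CloudPassage's. Sample IPs and the GhostPorts session lookup are assumptions.
GROUPS = {"Web Servers": ["10.0.2.10", "10.0.2.11"]}
# source: server group, "any", or "ghostports:<user>"; dport: TCP port or None for any service;
# states: ("ESTABLISHED", "NEW") or ("ANY",); action: ACCEPT / REJECT / DROP; log: bool
Rule = namedtuple("Rule", "iface source dport states action log")

DB_INBOUND = [
    Rule("eth0", "Web Servers", 3306, ("ESTABLISHED", "NEW"), "ACCEPT", False),
    Rule("eth0", "ghostports:Erica Westford", 3306, ("ESTABLISHED", "NEW"), "ACCEPT", True),
    Rule("eth0", "ghostports:Derek Wong", 22, ("ESTABLISHED", "NEW"), "ACCEPT", True),
    Rule("any", "any", None, ("ANY",), "REJECT", True),  # catch-all: reject with ICMP and log
]

def sources(rule, sessions):
    """Resolve a source to IPs; a GhostPorts user matches only the IP of an authenticated session."""
    if rule.source == "any":
        return ["any"]
    if rule.source.startswith("ghostports:"):
        ip = sessions.get(rule.source.split(":", 1)[1])
        return [ip] if ip else []  # not authenticated: the rule matches nothing
    return GROUPS[rule.source]

def render_iptables(rules, sessions):
    """Render the policy as iptables INPUT commands, with a LOG rule ahead of each logged action."""
    out = []
    for r in rules:
        for src in sources(r, sessions):
            m = ["iptables", "-A", "INPUT"]
            m += ["-i", r.iface] if r.iface != "any" else []
            m += ["-s", src] if src != "any" else []
            m += ["-p", "tcp", "--dport", str(r.dport)] if r.dport else []
            m += ["-m", "conntrack", "--ctstate", ",".join(r.states)] if "ANY" not in r.states else []
            if r.log:
                out.append(" ".join(m + ["-j", "LOG", "--log-prefix", '"halo-fw: "']))
            out.append(" ".join(m + ["-j", r.action]))
    return out

def evaluate(rules, sessions, iface, src_ip, dport, state):
    """First-match decision for one inbound TCP packet; no match falls through to the chain policy (assumed ACCEPT)."""
    for r in rules:
        srcs = sources(r, sessions)
        if (r.iface in ("any", iface) and ("any" in srcs or src_ip in srcs)
                and (not r.dport or r.dport == dport) and ("ANY" in r.states or state in r.states)):
            return r.action
    return "ACCEPT"
```

With no GhostPorts session active, the analyst's and admin's rows produce no iptables rules at all, so a connection from their address lands on the catch-all REJECT; once a session exists, only that session's IP is let through on the listed port.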
